Maine Data Privacy and Protection Act


The Maine Online Data Privacy Act (also referred to in the bill as the Maine Data Privacy and Protection Act) is a proposed comprehensive consumer data privacy law introduced in the Maine Legislature in 2025 as LD 1822. It establishes rules for how businesses collect, use, share, sell, and protect the personal information of Maine residents. If enacted in its current form, the law would take effect on July 1, 2026.

Who It Applies To

The law applies to businesses (called “controllers”) that conduct business in Maine or target products/services to Maine residents, and that meet one of these thresholds in the previous calendar year:

  • Controlled or processed personal data of at least 35,000 Maine consumers (excluding data used only for completing payment transactions), or
  • Controlled or processed personal data of at least 10,000 Maine consumers and derived more than 20% of gross revenue from the sale of personal data.

Who It Does Not Apply To

Several entities and data types are exempt, including:

  • State government agencies, political subdivisions, and federally recognized Indian tribes in Maine
  • Many nonprofit organizations (certain 501(c)(3), (c)(4), (c)(6), (c)(12) types)
  • Institutions of higher education
  • Certain supervised financial organizations, service corporations, and insurers complying with other Maine or federal rules
  • Health care facilities, practitioners, and their affiliates covered by HIPAA
  • Broadband internet access service providers (for data related to providing that service)
  • Data regulated under federal laws such as GLBA (financial information), HIPAA (protected health information), FCRA (credit reporting), FERPA (education records), and others
  • Employment, B2B, or contractor data collected in a work context

What Counts as Personal Data

Personal data is any information that is linked — or can reasonably be linked — to an identified or identifiable Maine resident (a “consumer”) or to a device associated with that person. It excludes de-identified data and truly publicly available information.

Sensitive data receives heightened protection and includes:

  • Data revealing racial or ethnic origins, religious beliefs, sexual orientation, gender identity, or citizenship/immigration status
  • Consumer health data (including data related to gender-affirming care or reproductive health services)
  • Genetic data or biometric data
  • Precise geolocation data (within a radius of approximately 1,750 feet)
  • Social Security number, driver’s license number, or state ID number
  • Financial account log-in credentials or security codes
  • Personal data of a known minor (under 18)
  • Data indicating status as a victim of crime

Your Rights as a Maine Resident

If a covered business processes your personal data, you have the right to:

  1. Confirm whether a controller is processing your personal data and access that data
  2. Correct inaccuracies in your personal data
  3. Request deletion of your personal data (unless retention is required by law)
  4. Obtain a portable and readily usable copy of your data to transfer to another controller
  5. Receive a list of third parties to whom the controller has sold your personal data (or categories if individual tracking isn’t maintained)
  6. Opt out of processing for:
    • Targeted advertising
    • Sale of your personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects (e.g., employment, housing, credit, insurance, education, or health care)

How to Exercise Your Rights

Businesses must provide secure and accessible methods for submitting requests (you should not need to create a new account). Responses are due within 45 days (extendable once by 45 days for complex cases). The first request per 12-month period is free; excessive, repetitive, or unfounded requests may be subject to a reasonable fee. You can appeal denials, and if the appeal is denied, you can contact the Maine Attorney General to file a complaint.

Authorized agents, parents/guardians (for children), or court-appointed guardians/conservators may exercise rights on your behalf in many cases.

Opt-Out for Advertising, Sales, and Profiling

Businesses that sell personal data, engage in targeted advertising, or profile in ways that lead to significant decisions must clearly disclose these practices and provide an easy opt-out mechanism by using tools like the ones developed by Captain Compliance. By July 1, 2026, they must also recognize consumer-friendly global opt-out preference signals.

Special Protections and Prohibitions

  • No sale of sensitive data
  • No targeted advertising or sale of data when the business knows (or should know) the consumer is a minor
  • Prohibition on geofencing within 1,750 feet of health care facilities to collect, track, or target consumers regarding health data (except by the facility operator itself)
  • Sensitive data may only be collected/processed if strictly necessary to provide the specific product or service you requested
  • Consent must be clear, specific, informed, voluntary, and free of dark patterns
  • Businesses must implement reasonable data security practices and retention schedules (delete data when no longer needed unless you consent otherwise or law requires retention)
  • Contracts with data processors must require confidentiality, security, and deletion/return of data at the end of the relationship

Privacy Notice Requirements

Covered businesses must post a clear, accessible privacy notice that includes:

  • Categories of personal data processed (including sensitive data)
  • Purposes of processing
  • How to exercise your rights and revoke consent
  • Categories of third parties with whom data is shared
  • Retention periods or criteria
  • Contact information (email or online mechanism)

Data Protection Assessments

For high-risk activities — such as targeted advertising, data sales, sensitive data processing, or certain profiling — businesses must conduct and document assessments that weigh benefits against potential risks to consumers.

Enforcement

Only the Maine Attorney General can enforce the law (no private right of action). Violations are treated as unfair trade practices. For violations occurring on or before April 1, 2027, the AG may (at discretion) issue a 60-day notice to cure before taking action. The AG is required to submit a report to the Legislature by February 1, 2027 on implementation and operation of the law.

Comparison to Other State Privacy Laws

| Feature | Maine (proposed, eff. Jul 2026) | California (CCPA/CPRA) | Virginia (VCDPA) | Colorado (CPA) | Maryland (MODPA, eff. Oct 2025) |
|---|---|---|---|---|---|
| Applicability thresholds | 35k consumers OR 10k + 20% sales revenue | $25M revenue OR 100k consumers OR 50% sales | 100k consumers OR 25k + 50% sales | 100k consumers OR 25k + targeted ads/sales revenue | Similar to Maine (35k OR 10k + revenue %) |
| Sensitive data protections | Very broad (health, reproductive, gender-affirming, minors, victim status); no sales; strict necessity only | Broad (health, precise geo, SSNs); some opt-in | Broad (health, biometric, geo); opt-in for some | Broad (health, biometric); opt-in | Broad with strong health focus; no sales |
| Main consumer rights | Access, correct, delete, portability, opt-out (ads/sale/profiling), buyer list | Similar + usage limits | Access, correct, delete, opt-out (ads/sale/profiling) | Similar + appeals | Similar + strong opt-out |
| Data protection assessments | Required for high-risk activities | Limited risk assessments | Required for high-risk | Required | Required for heightened risk |
| Global opt-out signal support | Required by Jul 2026 | Required | Recognized | Recognized | Strong support |
| Private right of action | No (AG only) | Yes (limited to data breaches) | No | No | No |
| Cure period before enforcement | Discretionary 60-day (pre-Apr 2027) | No (in most cases) | Limited cure | Eliminated in some amendments | Limited or none |
| Unique features | Health facility geofence ban; strong minor and health data rules | Dedicated enforcement agency (CPPA) | Business-friendly baseline | Rulemaking authority | Closely mirrors Maine draft |

If enacted as drafted, the Maine Online Data Privacy Act would provide Maine residents with some of the strongest consumer data protections in the United States — particularly for health data, minors, and exploitative tracking practices.

Businesses that meet the applicability thresholds should begin preparing now: update privacy notices, implement opt-out mechanisms, review data minimization practices, and conduct required assessments well before the July 1, 2026 effective date. The final enacted text may include amendments, so monitor legislative developments. For specific compliance guidance, consult a qualified attorney.
